CVE-2025-21787 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
team: better TEAM_OPTION_TYPE_STRING validation
syzbot reported following splat [1]
Make sure user-provided data contains one nul byte.
[1]
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714 string_nocheck lib/vsprintf.c:633 [inline]
string+0x3ec/0x5f0 lib/vsprintf.c:714 vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843 __request_module+0x252/0x9f0 kernel/module/kmod.c:149 team_mode_get drivers/net/team/team_core.c:480 [inline]
team_change_mode drivers/net/team/team_core.c:607 [inline]
team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401 team_option_set drivers/net/team/team_core.c:375 [inline]
team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:733 ____sys_sendmsg+0x877/0xb60 net/socket.c:2573 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627 __sys_sendmsg net/socket.c:2659 [inline]
__do_sys_sendmsg net/socket.c:2664 [inline]
__se_sys_sendmsg net/socket.c:2662 [inline]
__x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662 x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability identified as CVE-2025-21787 resides within the Linux kernel's team driver implementation, specifically in how it handles user-provided string options during network teaming operations. This flaw manifests as inadequate validation of TEAM_OPTION_TYPE_STRING inputs, creating a potential pathway for uninitialized memory access and subsequent system instability. The issue was detected by syzbot, an automated fuzzer that identifies kernel-level vulnerabilities, and results in a KMSAN (Kernel Memory Sanitizer) error indicating uninitialized value access during string processing operations. The kernel's string handling functions, particularly those in lib/vsprintf.c, are invoked during the processing of user-supplied data through the team network driver's configuration interface.
The technical root cause stems from insufficient validation of user input within the team driver's option setting mechanism. When a user attempts to configure teaming options via netlink communication, the system processes these inputs without ensuring proper null-termination of string data. This oversight allows for memory access patterns that may read uninitialized data from kernel memory, potentially exposing sensitive information or causing system crashes. The call stack demonstrates the path from user-space netlink socket communication through the generic netlink family handlers down to the team driver's option processing functions, where the validation failure occurs during the string processing phase. This vulnerability aligns with CWE-457, which describes uninitialized variables, and represents a classic case of improper input validation leading to memory safety issues.
The operational impact of this vulnerability extends beyond simple system crashes to potentially enable information disclosure or privilege escalation scenarios. An attacker could exploit this weakness by crafting malicious netlink messages containing specially formatted strings that trigger the uninitialized memory access. While the immediate effect appears to be a kernel panic or memory corruption, the broader implications include potential data leakage from kernel memory regions or the possibility of escalating privileges if the uninitialized reads can be controlled to access sensitive kernel structures. The vulnerability affects systems using the team network driver for link aggregation, which is commonly found in enterprise networking environments and server configurations where high availability and bandwidth aggregation are required. This makes it particularly concerning for infrastructure systems where stability and security are paramount.
Mitigation strategies for this vulnerability include applying the kernel patch that enforces proper null-byte validation for string inputs in the team driver's option handling code. System administrators should prioritize updating their kernel versions to include this fix, particularly in production environments where the team driver is actively used. Additionally, monitoring for suspicious netlink traffic patterns and implementing network segmentation can help reduce the attack surface. The fix specifically addresses the validation logic in team_mode_option_set and related functions within the drivers/net/team/team_core.c file, ensuring that user-provided strings are properly null-terminated before processing. Organizations should also consider implementing kernel hardening measures such as stack canaries, kernel address space layout randomization, and controlling access to netlink sockets to limit potential exploitation vectors. This vulnerability demonstrates the importance of robust input validation in kernel space, where improper handling can lead to serious security implications that extend far beyond the immediate functionality affected.